diff options
| author | adam <adam@pkgsrc.org> | 2017-09-06 15:19:17 +0000 |
|---|---|---|
| committer | adam <adam@pkgsrc.org> | 2017-09-06 15:19:17 +0000 |
| commit | 4c073488b3a219d70a7aee530f328ec7028643ec (patch) | |
| tree | 15a4cc80c8ff04f93b81a0eaf0b7bed8aa5b2e4b /www | |
| parent | 8588286a7bf1edaf725015e9248450b7054b7690 (diff) | |
| download | pkgsrc-4c073488b3a219d70a7aee530f328ec7028643ec.tar.gz | |
Django 1.11.5:
CVE-2017-12794: Possible XSS in traceback section of technical 500 debug page¶
In older versions, HTML autoescaping was disabled in a portion of the template for the technical 500 debug page. Given the right circumstances, this allowed a cross-site scripting attack. This vulnerability shouldn’t affect most production sites since you shouldn’t run with DEBUG = True (which makes this page accessible) in your production settings.
Bugfixes:
Fixed GEOS version parsing if the version has a commit hash at the end (new in GEOS 3.6.2).
Added compatibility for cx_Oracle 6.
Fixed select widget rendering when option values are tuples.
Django 1.11 inadvertently changed the sequence and trigger naming scheme on Oracle. This causes errors on INSERTs for some tables if 'use_returning_into': False is in the OPTIONS part of DATABASES. The pre-1.11 naming scheme is now restored. Unfortunately, it necessarily requires an update to Oracle tables created with Django 1.11.[1-4]. Use the upgrade script in 28451 comment 8 to update sequence and trigger names to use the pre-1.11 naming scheme.
Added POST request support to LogoutView, for equivalence with the function-based logout() view.
Omitted pages_per_range from BrinIndex.deconstruct() if it’s None.
Fixed a regression where SelectDateWidget localized the years in the select box.
Fixed a regression in 1.11.4 where runserver crashed with non-Unicode system encodings on Python 2 + Windows.
Fixed a regression in Django 1.10 where changes to a ManyToManyField weren’t logged in the admin change history and prevented ManyToManyField initial data in model forms from being affected by subsequent model changes.
Fixed non-deterministic results or an AssertionError crash in some queries with multiple joins.
Fixed a regression in contrib.auth’s login() and logout() views where they ignored positional arguments
Diffstat (limited to 'www')
| -rw-r--r-- | www/py-django/Makefile | 4 | ||||
| -rw-r--r-- | www/py-django/distinfo | 10 |
2 files changed, 7 insertions, 7 deletions
diff --git a/www/py-django/Makefile b/www/py-django/Makefile index b8e5f8cd186..96220668eec 100644 --- a/www/py-django/Makefile +++ b/www/py-django/Makefile @@ -1,6 +1,6 @@ -# $NetBSD: Makefile,v 1.89 2017/09/04 18:08:30 wiz Exp $ +# $NetBSD: Makefile,v 1.90 2017/09/06 15:19:17 adam Exp $ -DISTNAME= Django-1.11.4 +DISTNAME= Django-1.11.5 PKGNAME= ${PYPKGPREFIX}-${DISTNAME:tl} CATEGORIES= www python MASTER_SITES= https://www.djangoproject.com/m/releases/${PKGVERSION_NOREV:R}/ diff --git a/www/py-django/distinfo b/www/py-django/distinfo index 05adc1eab0e..5059d6fac95 100644 --- a/www/py-django/distinfo +++ b/www/py-django/distinfo @@ -1,6 +1,6 @@ -$NetBSD: distinfo,v 1.69 2017/08/02 10:45:09 adam Exp $ +$NetBSD: distinfo,v 1.70 2017/09/06 15:19:17 adam Exp $ -SHA1 (Django-1.11.4.tar.gz) = 2fd515ec779ab9bced0f96d92a22de9b726beadf -RMD160 (Django-1.11.4.tar.gz) = 17925e46904c586e120ed8766eb6debbe98a4bdb -SHA512 (Django-1.11.4.tar.gz) = 4a96b25f6a2211b2985deaafc04ed5c167eed8835f51b8234bd479787f99f257faffbaa11de85fa28736540b0decf85dd386ca041e1b9888b958f04a3b0066c6 -Size (Django-1.11.4.tar.gz) = 7870752 bytes +SHA1 (Django-1.11.5.tar.gz) = c16f8090c2251ff03e041afda77264474777a2d7 +RMD160 (Django-1.11.5.tar.gz) = 76c2246e8e292109dcb1462f96cd7891cc63baf9 +SHA512 (Django-1.11.5.tar.gz) = bd43524d80721f10e98ca1cb2d487b51258c5e66febcda4ff4487c4c057f2920bb84452ff966b1cfe5dbb7d11138b467f7e1d65017ac9dd92f76497147fce89c +Size (Django-1.11.5.tar.gz) = 7875054 bytes |